Updating a DNSSEC config to use a different algorithm

Matthijs Mekking matthijs at isc.org
Mon Feb 1 14:14:53 UTC 2021


Depends on what your DNSSEC configuration is. Are you using 
dnssec-signzone/named? auto-dnssec maintain? inline-signing? 
dnssec-policy? dnssec-keymgr?

Yes, there are a lot of ways to maintain DNSSEC in BIND. The recommended 
way forward is to use dnssec-policy. Migrating to it may still be a bit 
tricky*, but once you use it, changing to a new signing algorithm is pretty 

1. Update your dnssec-policy, reload config.
2. Wait a little bit.
3. When the new DS is in the parent, run "rndc dnssec -checkds published"
    on the right key id.
4. Also run "rndc dnssec -checkds withdrawn" on the id of the key that
    has its DS removed from the parent.
5. Have a celebratory drink.

Algorithm rollover with dnssec-policy will gracefully transition to the 
keys with the new algorithms, so during the rollover period you should 
see your zone being signed with two algorithms.

Best regards,


*In principle you can just switch to dnssec-policy with your existing 
key files and BIND will initialize key state files for those keys. But 
there is at least one known bug where deleted keys may be used again for 
signing (those deleted keys still have their key files in the key 
directory). [GL #2406]

On 01-02-2021 14:40, @lbutlr wrote:
> I've been using alg-7 for DNS, but that is no longer recommended. How difficult is it to change the signing algorithm and what is the process (Bind 9.16.11)?
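Steps 3 and 4 above hinge on knowing which key id the parent's DS actually points at. The following is an added example, not code from the post or from ISC/BIND: it reads the zone's DNSKEY RRset and the parent's DS RRset in presentation format (what `dig +multi DNSKEY example.com` and `dig DS example.com @parent-ns` print), recomputes the RFC 4034 key tags and RFC 4509/6605 DS digests itself, and reports for every KSK whether its DS is "published" (digest matches), "withdrawn" (no DS for it) or a "mismatch" (right tag, wrong digest: something to investigate rather than report to named). It also shows that, mid-rollover, the DNSKEY RRset carries both algorithms. The records are constructed, not real key material, the zone name example.com. is a placeholder, and the `rndc dnssec -checkds -key <id> published|withdrawn <zone>` syntax printed at the end is my reading of the 9.16 ARM; check it against the rndc of the installed version.

```python
"""
Added example (not from the original post or from ISC/BIND): decide which key
ids to hand to `rndc dnssec -checkds` during a dnssec-policy algorithm rollover
by checking the parent's DS set against the zone's DNSKEY RRset.
Assumes both RRsets are available in presentation format; the records below are
constructed, not real key material. Standard library only.
"""
import base64
import hashlib
import struct

SEP_FLAG = 0x0001                                   # DNSKEY flag: Secure Entry Point, i.e. a KSK
DS_DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types (RFC 4509, RFC 6605)


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (not valid for obsolete algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str) -> dict:
    """Parse 'owner TTL IN DNSKEY flags proto alg base64...' into RDATA plus key tag."""
    f = line.split()
    owner, flags, proto, alg = f[0], int(f[4]), int(f[5]), int(f[6])
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(f[7:]))
    return {"owner": owner, "flags": flags, "alg": alg, "rdata": rdata, "tag": key_tag(rdata)}


def parse_ds(line: str) -> dict:
    """Parse 'owner TTL IN DS keytag alg digesttype hex...'."""
    f = line.split()
    return {"tag": int(f[4]), "alg": int(f[5]), "dtype": int(f[6]),
            "digest": "".join(f[7:]).upper()}


def ds_digest(owner: str, rdata: bytes, dtype: int) -> str:
    """DS digest = H(canonical owner name || DNSKEY RDATA), uppercase hex."""
    return DS_DIGESTS[dtype](name_to_wire(owner) + rdata).hexdigest().upper()


def algorithms_in_use(dnskey_lines) -> set:
    """Algorithm numbers present in the DNSKEY RRset; two of them during a rollover."""
    return {parse_dnskey(l)["alg"] for l in dnskey_lines}


def checkds_actions(dnskey_lines, parent_ds_lines) -> list:
    """For each KSK return (action, key tag, algorithm):
    'published' - a parent DS matches the key   -> rndc dnssec -checkds published
    'withdrawn' - the parent has no DS for it   -> rndc dnssec -checkds withdrawn
    'mismatch'  - a DS has this tag/alg but the wrong digest: investigate, do not
                  tell named the DS is published."""
    ds_set = [parse_ds(l) for l in parent_ds_lines]
    actions = []
    for k in (parse_dnskey(l) for l in dnskey_lines):
        if not k["flags"] & SEP_FLAG:
            continue                                 # ZSK: the parent never holds its DS
        candidates = [d for d in ds_set if d["tag"] == k["tag"] and d["alg"] == k["alg"]]
        if not candidates:
            actions.append(("withdrawn", k["tag"], k["alg"]))
        elif any(d["dtype"] in DS_DIGESTS
                 and d["digest"] == ds_digest(k["owner"], k["rdata"], d["dtype"])
                 for d in candidates):
            actions.append(("published", k["tag"], k["alg"]))
        else:
            actions.append(("mismatch", k["tag"], k["alg"]))
    return actions


# --- constructed sample: mid-rollover from algorithm 7 to 13, as in the post ---
def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

ZONE = "example.com."                                # placeholder zone name
DNSKEYS = [
    f"{ZONE} 3600 IN DNSKEY 257 3 7 {_b64(bytes([3, 1, 0, 1]) + bytes(range(1, 129)))}",    # old KSK
    f"{ZONE} 3600 IN DNSKEY 256 3 7 {_b64(bytes([3, 1, 0, 1]) + bytes(range(128, 256)))}",  # old ZSK
    f"{ZONE} 3600 IN DNSKEY 257 3 13 {_b64(bytes(range(64, 128)))}",                       # new KSK
    f"{ZONE} 3600 IN DNSKEY 256 3 13 {_b64(bytes(range(128, 192)))}",                      # new ZSK
]
NEW_KSK = parse_dnskey(DNSKEYS[2])
# The parent has already swapped the DS: only the algorithm-13 KSK is delegated.
# (Digest computed here with ds_digest as a stand-in for the parent's published record.)
PARENT_DS = [
    f"{ZONE} 86400 IN DS {NEW_KSK['tag']} 13 2 {ds_digest(ZONE, NEW_KSK['rdata'], 2)}",
]

if __name__ == "__main__":
    print("algorithms in DNSKEY RRset:", sorted(algorithms_in_use(DNSKEYS)))
    for action, tag, alg in checkds_actions(DNSKEYS, PARENT_DS):
        print(f"rndc dnssec -checkds -key {tag} {action} {ZONE}   # alg {alg}")
```

The point of recomputing the digest rather than just matching key tags is that tags are 16-bit and not unique; a stale or mistyped DS at the registrar can carry the right tag and still leave the delegation broken, and telling named the DS is published in that state lets the policy retire the old key too early.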

